What’s in the Mobile Device Management Toolbag?

Leon Erlanger is a freelance journalist who specializes in business and technology and is a contributor to the CDW family of technology magazines.

Many IT departments have sought to address the challenges of the mobile enterprise by deploying a mobile device management (MDM) solution. MDM solutions incorporate many of the features used to manage notebook and desktop PCs, such as device discovery, provisioning and lifecycle management. MDM adds other features that account for the special hazards introduced by mobile devices, such as device loss and theft. Those features include password protection, remote wiping and encryption.

Leading MDM vendors include MobileIron, AirWatch by VMware, Citrix Xenmobile and MaaS360 by Fiberlink. BlackBerry developed an enterprise solution for its devices and has since expanded to offer management of other devices as well. And major desktop management vendors, such as LANDesk and Altiris, started integrating MDM capabilities into their desktop management solutions. Many of these solutions have progressed beyond device management, adding capabilities to manage mobile applications and content.

Common mobile device management features include:

Mobile device discovery and asset management: Most MDM packages are able to detect new devices attempting to connect to the enterprise network. After devices are approved, enrolled and provisioned, MDM solutions can monitor and inventory the devices and applications stored on them.

Enrolling and provisioning new devices: Every MDM solution includes the capability for IT staff to enroll new user devices and connect them to the network. Most management solutions integrate with Microsoft Active Directory and allow users to self-enroll their devices so they don’t have to wait for IT staff to get around to it. IT managers can create the policy, settings and provisioning profile for each user, and users can quickly enroll devices through an enterprise portal and receive their profile and settings, all in a matter of minutes.

Credential and password management and single sign-on: MDM solutions provide centralized management and enforcement of device logins, personal ID numbers and account passwords, preventing lost or stolen devices from easily being accessed. Most can provide two-factor authentication and controlled single sign-on access to enterprise applications and information.

Application whitelisting and blacklisting: One of the hazards of connected mobile devices comes from users downloading applications that can be dangerous to the network because of malware or unapproved access to other applications and data, such as contacts and calendars. By allowing the IT team to blacklist unapproved applications or limiting applications to those that are specifically approved (whitelisting), MDM solutions can reduce the hazards of mobile apps.

App stores: Another way MDM allows an IT department to offer application choice while keeping careful control over users’ applications is to provide an internal enterprise app store (think Apple’s iTunes store or Google Play but without the transaction process). The app store offers only applications and, in some cases, cloud services that the organization has specifically approved. Once users have been connected and provisioned, IT staff can limit application access to the app store.

Encryption and virtual private networks (VPNs): MDM solutions can centralize the management of device encryption to protect sensitive data on the device and provide VPN tunneling to the enterprise network with robust over-the-air encryption. A relatively new feature of some MDM programs is the provisioning of per-app VPNs or “app wrapping,” which ensures that a VPN connection is established for a specific application’s traffic each time it connects to the enterprise, providing more fine-grained security and control than a VPN that spans the entire device.

Policy enforcement: An MDM solution can also allow the IT department to apply and enforce mobile device policies, settings and controls, based on user, group and role, including application and encryption controls. Other policies can limit or prevent jailbroken and rooted devices from connecting to the network (because these devices are more likely to carry security hazards than others), and can also disable Wi-Fi, device cameras, GPS, Bluetooth and other potentially hazardous features. Network access controls can also check devices to ensure they conform with all policies and updates before allowing them to connect to the network.
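The application whitelisting and blacklisting controls and the role-based policy checks described above can be illustrated with a small compliance evaluator. The following Python is an added example written for this article, not code from any MDM product named here; the policies, roles, device records and app names are constructed sample data, and a real MDM agent would supply the inventory fields (OS version, encryption state, jailbreak detection, installed apps, enabled features) that this code hard-codes.

```python
"""Added example: role-based MDM compliance check over a constructed device inventory.

Not code from any MDM vendor; every policy value and device record below is invented.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """Controls an IT team might apply to one role (constructed example)."""
    require_encryption: bool = True
    block_jailbroken: bool = True
    min_os_version: Tuple[int, ...] = (0,)
    allowed_apps: Optional[FrozenSet[str]] = None  # None means no whitelist in force
    blocked_apps: FrozenSet[str] = frozenset()      # blacklist, checked when no whitelist
    disabled_features: FrozenSet[str] = frozenset()  # e.g. camera, bluetooth


@dataclass
class Device:
    """A device inventory record as an MDM agent might report it (constructed)."""
    device_id: str
    owner: str
    role: str
    os_version: str
    encrypted: bool
    jailbroken: bool
    installed_apps: List[str]
    enabled_features: List[str]


# Hypothetical per-role policies; "default" applies to any role without its own entry.
POLICIES: Dict[str, Policy] = {
    "finance": Policy(
        min_os_version=(16, 0),
        allowed_apps=frozenset({"mail", "expense-tracker", "vpn-client"}),
        disabled_features=frozenset({"camera"}),
    ),
    "default": Policy(
        min_os_version=(15, 0),
        blocked_apps=frozenset({"free-flashlight-pro"}),
    ),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def check_compliance(device: Device, policies: Dict[str, Policy]) -> List[str]:
    """Return every policy violation found on the device (empty list means compliant)."""
    policy = policies.get(device.role, policies["default"])
    violations: List[str] = []
    if policy.block_jailbroken and device.jailbroken:
        violations.append("jailbroken or rooted device")
    if policy.require_encryption and not device.encrypted:
        violations.append("device storage not encrypted")
    if parse_version(device.os_version) < policy.min_os_version:
        required = ".".join(str(n) for n in policy.min_os_version)
        violations.append(f"OS {device.os_version} below required {required}")
    for app in device.installed_apps:
        if policy.allowed_apps is not None and app not in policy.allowed_apps:
            violations.append(f"app not on allowlist: {app}")
        elif app in policy.blocked_apps:
            violations.append(f"blocklisted app installed: {app}")
    for feature in device.enabled_features:
        if feature in policy.disabled_features:
            violations.append(f"disallowed feature enabled: {feature}")
    return violations


def network_access_decision(device: Device, policies: Dict[str, Policy]) -> Tuple[str, List[str]]:
    """Network access control step: allow a compliant device, quarantine a non-compliant one."""
    violations = check_compliance(device, policies)
    return ("allow" if not violations else "quarantine", violations)


# Constructed inventory: one compliant device, one with app/feature violations,
# one jailbroken, unencrypted, out-of-date device running a blacklisted app.
SAMPLE_DEVICES = [
    Device("dev-001", "alice", "finance", "16.2", True, False, ["mail", "expense-tracker"], ["wifi"]),
    Device("dev-002", "bob", "finance", "16.0", True, False, ["mail", "game-of-the-week"], ["camera"]),
    Device("dev-003", "carol", "sales", "14.8", False, True, ["mail", "free-flashlight-pro"], ["wifi"]),
]

if __name__ == "__main__":
    for device in SAMPLE_DEVICES:
        decision, reasons = network_access_decision(device, POLICIES)
        print(f"{device.device_id} ({device.owner}, {device.role}): {decision}")
        for reason in reasons:
            print(f"  - {reason}")
```

Roles with a whitelist skip the blacklist entirely, since anything not explicitly approved is already rejected; roles without one fall back to the blacklist, which mirrors the two modes the article describes. Returning the full list of violations rather than a bare yes/no is what makes the monitoring and reporting side useful: the same output feeds both the access decision and the compliance report.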

Device lock and wipe: Loss and theft, which can give outsiders access to sensitive information stored on a device or on an organization’s network, represent some of the most serious security hazards of mobile devices. Another hazard is workers who take their mobile work devices with them upon leaving the organization.

Most MDM solutions allow IT staff to centrally manage the capability to lock a device remotely so it cannot be accessed or to completely wipe all data and applications from the device. Newer features that take BYOD programs into account can perform a partial wipe of enterprise applications and data after a user leaves the organization.

Monitoring, reporting and analytics: MDM solutions allow centralized monitoring of devices and users, including connectivity, application downloads and use, and other functions. They can produce a variety of analytics and reports that help the IT shop get a handle on mobile security, upgrade requirements and other issues involving planning for the future.

In recent years, many mobile enterprises have incorporated MDM into their management arsenal, and MDM offerings have become increasingly commoditized. A new category, called enterprise mobility management (EMM), incorporates MDM but also emphasizes management of device applications and content in addition to the device itself.